Evernote hacked, recommends users change passwords now

Popular note-taking service Evernote has instituted a service-wide password reset for all users after detecting suspicious activity on its network that it believes was a hacking attempt.

Evernote is directing users to log into Evernote.com, where they will be required to set a new password.

In a blog post on Saturday, Evernote said its Operations & Security team had detected activity pointing toward a coordinated attempt to access secure areas of the service. A subsequent investigation found no signs that user content had been accessed, changed, or lost, and no signs that any customer's payment information had been accessed.

The attackers were, however, able to access Evernote user account information: usernames, the email addresses associated with accounts, and password hashes. Evernote describes the stored passwords as "encrypted", but more precisely they are salted and hashed with a one-way function, so the plaintext cannot be recovered directly from the stolen data. An attacker holding the dump can still mount offline guessing (dictionary and brute-force) attacks against weak passwords, which is why the service-wide reset matters.

Evernote now requires users to create a new password by signing into their accounts on evernote.com. After resetting, users will need to sign in again with the new password in every other Evernote app they use.

Headline is wrong. They don't recommend changing passwords, they are forcing all users to change their passwords.

I first learned of this when a not-so-friendly message popped up on my Mac's Evernote app saying something like "your password has been changed" and it wouldn't sync any more. I was like "WTF? Has someone stolen my account? My password is strong, how can this be?" So I tried to log in to the website. It took my password and went to a "reset your password" page. So then I was like, "Oh. Someone who had my email address asked for a reset. Still looks like a hack attempt on my account." Next move was to look for the usual email one gets when requesting a password reset. Nothing. Totally puzzled, I Googled a bit and found the news. Then, it took several attempts to actually change my password - their servers must have been slammed over this.

The point of this story is that it was handled in a very user-unfriendly manner. I can only imagine the deluge of support requests they must have gotten from the 90% of their users who couldn't work this out on their own.

That said, it was the right move to invalidate all existing passwords. The stolen hashed passwords were most certainly being subjected to brute force and dictionary attacks. I doubt they were literally "encrypted". They were most likely cryptographically hashed with salt added beforehand.
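The article's "one-way encryption" (salted hashing) and the comment above about the stolen hashes being subjected to dictionary and brute-force attacks describe the same mechanism from two sides. The following is an added example, not code from the article or from Evernote: it stores passwords as per-user salted PBKDF2-HMAC-SHA256 hashes, verifies a login against that record, and then plays the attacker who holds one stolen (salt, hash) pair and can only guess. The hash function, iteration count, salt size, user table and wordlist are all assumptions constructed for illustration; the article does not say what scheme Evernote actually used.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Work factor and salt size are assumptions for illustration; the article
# does not say which hash or parameters Evernote used.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest): a fresh random salt per user, then PBKDF2-HMAC-SHA256.

    Only the salt and digest are stored; the password itself never is.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(salt: bytes, digest: bytes, wordlist: Iterable[str],
                      iterations: int = ITERATIONS) -> Optional[str]:
    """What an attacker holding one stolen (salt, digest) pair can do: guess.

    The one-way function cannot be reversed, so every candidate must be hashed
    with that user's salt and compared. The salt means this work cannot be
    precomputed or shared across users, but a weak password still falls.
    """
    for guess in wordlist:
        if verify_password(guess, salt, digest, iterations):
            return guess
    return None


def run_demo(iterations: int = ITERATIONS) -> dict:
    """Constructed sample user table and constructed wordlist (not real data)."""
    users = {
        "alice": hash_password("password123", iterations=iterations),
        "bob": hash_password("password123", iterations=iterations),  # same password as alice
        "carol": hash_password("7k!Qz#v9Lm$2pW", iterations=iterations),
    }
    wordlist = ["123456", "letmein", "password", "password123", "evernote"]
    return {
        # Same password, different salts -> different digests: cracking alice's
        # hash tells the attacker nothing about bob's without redoing the work.
        "same_password_same_digest": users["alice"][1] == users["bob"][1],
        "alice_cracked": dictionary_attack(*users["alice"], wordlist, iterations),
        "carol_cracked": dictionary_attack(*users["carol"], wordlist, iterations),
    }


if __name__ == "__main__":
    print(run_demo())
```

The demo shows both halves of the argument: alice's weak password is recovered from the dump with a five-word list, carol's is not, and alice and bob end up with different stored digests despite sharing a password. The defender's only levers once the hashes are out are the work factor (each guess costs `ITERATIONS` rounds per user) and invalidating every existing password, which is what Evernote did.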

@mydoghasfleas: Not sure what you're talking about. Evernote sent an email to every single one of their users, alerting them to the problem and that an email reset would be necessary upon next login. And this happened almost immediately... they didn't wait hours to send out this email.

The really big snafu was that after updating the Evernote app from an iDevice and changing passwords, sign-in failed. The password change was effectively recorded though because the website would recognize it and allow sign-in, just the app gave an error notice. Deleting and re-installing the app fixed it, but some users reported data loss. I didn't lose any of mine, but then I had an earlier version of Evernote in my old iPad so maybe it just synced from there, dunno.

I received an email notification, but I found it highly suspect. All the "log in and change your password" links were not linked to pure evernote.com URLs. The inline text links simply read "evernote.com", but actually linked to a domain similar to this: "links.evernote.mkt1388.com". I assumed it was a phishing scam, and didn't click through.

However, when I used the desktop app to try and access my account, I couldn't. I was forced to do a full log in, but then was unable to use my existing user/password combination. The error I received was something like "too many unsuccessful login attempts, please wait and try again later."

I initiated a password reset by using the 'forgot my password' function, and received a new confirmation email, this time from a pure evernote.com address. I reset my password directly, and everything resumed as normal.

I'm not sure the original email I received was legitimate. I still have it, so perhaps I'll send it to Evernote with an enquiry. It only added to my uncertainty at first...
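The commenter above hit the classic phishing tell: the visible link text reads "evernote.com" while the actual href points at a third-party tracking domain. Whether or not that particular mail was legitimate, the check is mechanical. The following is an added example, not code from the article or from any commenter: it parses an HTML mail body, collects every anchor, and flags those whose visible text looks like a domain or URL that does not match the link's real host. The sample message below is constructed for illustration (the tracking domain is modelled on the one quoted in the comment; the paths and query strings are invented).

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample e-mail body modelled on the comment above: the visible
# text says "evernote.com" while the href points at a tracking domain.
# Paths and query strings are invented, not copied from a real message.
SAMPLE_EMAIL = """
<html><body>
<p>Please go to <a href="https://links.evernote.mkt1388.com/ctt?kn=1">evernote.com</a>
and set a new password.</p>
<p>Or sign in at <a href="https://www.evernote.com/Login.action">evernote.com</a> directly.</p>
<p><a href="https://links.evernote.mkt1388.com/ctt?kn=2">Read the blog post</a>.</p>
</body></html>
"""

# Visible text that a reader would interpret as a destination: a bare domain
# or a URL, with no spaces.
_DOMAIN_TEXT = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())   # normalise whitespace
            self.anchors.append((self._href, visible))
            self._href = None


def host_of(value: str) -> str:
    """Lower-case hostname of a URL, or of bare text such as 'evernote.com'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def same_site(host: str, expected: str) -> bool:
    """True if host is expected or a subdomain of it (match on a label boundary,
    so 'notevernote.com' does not pass for 'evernote.com')."""
    return host == expected or host.endswith("." + expected)


def find_mismatched_links(html: str) -> List[Tuple[str, str]]:
    """Return (visible text, href) pairs where the text reads as a domain or
    URL but the link really goes elsewhere.

    Anchors whose text is not a destination ("Read the blog post") are not
    flagged: the reader was shown no host, so there is nothing to mismatch.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        if not _DOMAIN_TEXT.match(text):
            continue
        if not same_site(host_of(href), host_of(text)):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"shown as {text!r} but links to {href}")
```

On the sample the first anchor is flagged (shown as evernote.com, goes to links.evernote.mkt1388.com), the second passes because www.evernote.com is a subdomain of the displayed host, and the third is ignored because "Read the blog post" makes no claim about where it leads. The suffix check is deliberately simple; a production filter would consult a public-suffix list and allow-list the sender's known tracking domains rather than hard-code them. The commenter's fallback, ignoring every link in the mail and starting a reset from the site directly, remains the safer habit.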

Looks like some people got an email but I did not. That was the first thing I checked.